Behavioral Detection of Process Injection Across Platforms

Technique Detected: Process Injection | T1055

ID: DET0508
Domains: Enterprise
Analytics: AN1399, AN1400, AN1401
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1399

Detects process injection by correlating memory manipulation API calls (e.g., VirtualAllocEx, WriteProcessMemory), suspicious thread creation (e.g., CreateRemoteThread), and unusual DLL loads within another process's context.

Log Sources

Data Component             Name                                   Channel
Process Access (DC0035)    WinEventLog:Sysmon                     EventCode=10
Process Creation (DC0032)  WinEventLog:Sysmon                     EventCode=1
Module Load (DC0016)       WinEventLog:Sysmon                     EventCode=7
OS API Execution (DC0021)  etw:Microsoft-Windows-Kernel-Process   API calls

Mutable Elements

Field                 Description
AccessMask            Specific access rights used during process handle acquisition, e.g., PROCESS_VM_WRITE
TimeWindow            Time correlation window between API calls and thread creation events
InjectedProcessList   Known high-value targets often abused for injection (e.g., lsass.exe, explorer.exe)

AN1400

Detects ptrace- or memfd-based process injection through audit logs that capture system calls (e.g., ptrace, mmap) directed at running processes, correlated with suspicious file descriptors or writes to another process's memory.

Log Sources

Data Component               Name              Channel
OS API Execution (DC0021)    auditd:SYSCALL    ptrace, mmap, process_vm_writev
File Access (DC0055)         auditd:SYSCALL    open
Process Modification (DC0020) linux:procfs     /proc/[pid]/maps, /proc/[pid]/mem

Mutable Elements

Field                 Description
TargetPIDThreshold    Limit to sensitive or unexpected processes being targeted (e.g., sshd, init)
TimeWindow            Correlate mmap or writev usage to process access within a short timeframe

AN1401

Detects memory-based injection by monitoring task_for_pid, mach_vm_write, and dylib injection patterns through DYLD_INSERT_LIBRARIES or manual memory mapping.

Log Sources

Data Component             Name                      Channel
Process Access (DC0035)    macos:unifiedlog          subsystem=com.apple.security, library=libsystem_kernel.dylib
Process Metadata (DC0034)  macos:endpointsecurity    ES_EVENT_TYPE_NOTIFY_EXEC, ES_EVENT_TYPE_NOTIFY_MMAP
Module Load (DC0016)       macos:syslog              DYLD_INSERT_LIBRARIES anomalies

Mutable Elements

Field                     Description
TargetProcessSignature    Expected signing identity or origin of the process being injected
MachSyscallContext        Observed syscall combinations (e.g., task_for_pid followed by vm_write)
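All three analytics (AN1399, AN1400, AN1401) share one shape: an ordered set of actions against the same target process inside a time window, scoped by a target list, threshold or signature. The block below is an added example of that correlation logic, not MITRE's code and not a published rule: it assumes telemetry has already been normalized into an Event record (a Sysmon EventCode=10, an auditd SYSCALL record and an Endpoint Security event each become one Event with a target, a normalized action name and the raw fields it needs), the sample events are constructed rather than captured, and the values given to the mutable elements (InjectedProcessList, TargetPIDThreshold expressed as a set of sensitive process names, TargetProcessSignature expressed as a set of signing identities, TimeWindow) are illustrative. Events are grouped per target rather than per source, matching the page's framing of activity "within another process's context".

```python
"""Time-window correlator for AN1399 (Windows), AN1400 (Linux) and AN1401 (macOS).
Added example, not MITRE's code: the Event schema, the Rule format, the tunable
values and every sample event below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable

# Win32 process access-right bits behind the AccessMask mutable element.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_CAPABLE = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

@dataclass(frozen=True)
class Event:
    ts: datetime      # event time
    platform: str     # "windows", "linux" or "macos"
    target: str       # process whose memory or context is being manipulated
    action: str       # normalized action, e.g. "api:WriteProcessMemory"
    detail: dict = field(default_factory=dict)  # raw fields (AccessMask, pids, ...)

@dataclass(frozen=True)
class Rule:
    analytic: str
    platform: str
    sequence: tuple                      # ordered actions expected against one target
    window: timedelta                    # the page's TimeWindow element
    target_ok: Callable[[Event], bool]   # target-scoping element (list, threshold, signature)
    start_ok: Callable[[Event], bool] = lambda e: True  # extra predicate on the first event

def correlate(events, rule):
    """Return [(analytic, target, matched_events)] for each start event followed, in
    order and within rule.window, by the rest of rule.sequence against the same target."""
    per_target = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.platform == rule.platform:
            per_target.setdefault(ev.target, []).append(ev)
    hits = []
    for target, evs in per_target.items():
        for i, start in enumerate(evs):
            if start.action != rule.sequence[0]:
                continue
            if not (rule.target_ok(start) and rule.start_ok(start)):
                continue
            pending, matched = list(rule.sequence[1:]), [start]
            for ev in evs[i + 1:]:
                if ev.ts - start.ts > rule.window:
                    break                      # outside TimeWindow: stop looking
                if pending and ev.action == pending[0]:
                    matched.append(ev)
                    pending.pop(0)
            if not pending:
                hits.append((rule.analytic, target, matched))
    return hits

# The page's mutable elements as tunables; the values are illustrative.
INJECTED_PROCESS_LIST = {"lsass.exe", "explorer.exe"}
SENSITIVE_LINUX_TARGETS = {"sshd", "init"}
PROTECTED_SIGNING_IDS = {"com.apple.Safari", "com.apple.loginwindow"}

RULES = [
    Rule("AN1399", "windows",
         ("process_access", "api:WriteProcessMemory", "api:CreateRemoteThread", "module_load"),
         timedelta(seconds=30),
         target_ok=lambda e: e.target in INJECTED_PROCESS_LIST,
         start_ok=lambda e: (e.detail.get("AccessMask", 0) & WRITE_CAPABLE) != 0),
    Rule("AN1400", "linux",
         ("syscall:ptrace", "syscall:process_vm_writev"), timedelta(seconds=10),
         target_ok=lambda e: e.target in SENSITIVE_LINUX_TARGETS),
    Rule("AN1401", "macos",
         ("syscall:task_for_pid", "syscall:mach_vm_write"), timedelta(seconds=10),
         target_ok=lambda e: e.detail.get("target_signing_id") in PROTECTED_SIGNING_IDS),
]

T0 = datetime(2025, 10, 21, 12, 0, 0)
S = lambda n: T0 + timedelta(seconds=n)
SAMPLE_EVENTS = [  # constructed, not captured telemetry
    # Windows: write-capable handle to lsass.exe, then write, remote thread, DLL load
    Event(S(0), "windows", "lsass.exe", "process_access", {"AccessMask": 0x1F0FFF}),
    Event(S(1), "windows", "lsass.exe", "api:WriteProcessMemory"),
    Event(S(2), "windows", "lsass.exe", "api:CreateRemoteThread"),
    Event(S(3), "windows", "lsass.exe", "module_load", {"ImageLoaded": "C:\\Users\\Public\\p.dll"}),
    # Windows benign: query-only handle (0x1000) to explorer.exe; AccessMask predicate rejects it
    Event(S(0), "windows", "explorer.exe", "process_access", {"AccessMask": 0x1000}),
    # Linux: ptrace then process_vm_writev against sshd inside the window; same pair
    # against bash is scoped out by the sensitive-target set (TargetPIDThreshold)
    Event(S(0), "linux", "sshd", "syscall:ptrace", {"pid": 4242, "target_pid": 811}),
    Event(S(2), "linux", "sshd", "syscall:process_vm_writev", {"pid": 4242, "target_pid": 811}),
    Event(S(0), "linux", "bash", "syscall:ptrace", {"pid": 5001, "target_pid": 5000}),
    Event(S(1), "linux", "bash", "syscall:process_vm_writev", {"pid": 5001, "target_pid": 5000}),
    # macOS: Safari pair is 60 s apart (outside window); loginwindow pair is 1 s apart
    Event(S(0), "macos", "Safari", "syscall:task_for_pid", {"target_signing_id": "com.apple.Safari"}),
    Event(S(60), "macos", "Safari", "syscall:mach_vm_write", {"target_signing_id": "com.apple.Safari"}),
    Event(S(0), "macos", "loginwindow", "syscall:task_for_pid", {"target_signing_id": "com.apple.loginwindow"}),
    Event(S(1), "macos", "loginwindow", "syscall:mach_vm_write", {"target_signing_id": "com.apple.loginwindow"}),
]

def run_all(events=SAMPLE_EVENTS, rules=RULES):
    """Evaluate every rule over the events; returns the combined hit list."""
    return [hit for rule in rules for hit in correlate(events, rule)]
```

Running `run_all()` over the constructed events yields exactly one hit per analytic (lsass.exe, sshd, loginwindow); the explorer.exe handle fails the AccessMask check, the bash pair falls outside the sensitive-target set, and the Safari pair falls outside TimeWindow. Widening the macOS window is all it takes to surface the Safari pair, which is the tuning trade-off the mutable elements exist to expose: a longer TimeWindow or a broader target list raises recall at the cost of more benign handle-and-write sequences (debuggers, EDR agents, crash reporters) to triage.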